Data Processing Agreement

Effective: June 2, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Unheadless ("Processor," "we," "us"), and you ("Controller," "Customer"), and governs the processing of personal data by Unheadless on behalf of the Customer.

This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (EU 2016/679) ("GDPR") and the UK GDPR.

By using the Unheadless Service, you accept this DPA on behalf of yourself and, where applicable, the organization you represent. If your organization requires a countersigned version of this DPA, contact privacy@unheadless.com.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion
  • "Controller" means the Customer, who determines the purposes and means of processing Personal Data
  • "Processor" means Unheadless, which processes Personal Data on behalf of the Controller
  • "Subprocessor" means a third party engaged by the Processor to process Personal Data
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates

2. Scope & Purpose of Processing

2.1 Subject Matter

The Processor provides a read-only content reporting and inventory platform for headless CMS teams. Processing is performed solely to deliver the Service as described in the Terms of Service.

2.2 Categories of Data Subjects

  • Customer employees and authorized users of the Service
  • Individuals whose personal data may appear in the Customer's CMS content (e.g., author names, contributor metadata)

2.3 Types of Personal Data

  • Account data: name, email address, organization name
  • Usage data: feature interactions, query history, timestamps
  • Technical data: IP address, browser type, device information
  • CMS metadata: author names, contributor identifiers, and other content metadata accessed via API keys provided by the Customer (used solely for read operations)

2.4 Duration

Processing continues for the duration of the Customer's use of the Service. Upon account cancellation or termination, Personal Data is deleted or returned in accordance with Section 10.

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the EEA, unless required by applicable law
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Security)
  • Not engage another processor without the Controller's prior specific or general written authorization (see Section 5 on Subprocessors)
  • Assist the Controller in fulfilling its obligation to respond to Data Subject rights requests
  • Assist the Controller in ensuring compliance with Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation)
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless storage is required by applicable law
  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits (see Section 8)

4. Obligations of the Controller

The Controller shall:

  • Ensure it has a lawful basis for processing Personal Data and for instructing the Processor to process it
  • Provide the Processor with documented processing instructions
  • Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor
  • Ensure that CMS API keys provided to the Processor are authorized for use, that the Controller has the right to grant read access to the associated CMS content, and, where the CMS supports scoped keys, that the keys provided grant read access only

5. Subprocessors

The Controller provides general written authorization for the Processor to engage the subprocessors listed on our Security page.

The Processor shall:

  • Notify the Controller at least 30 days in advance of any intended addition or replacement of subprocessors, giving the Controller an opportunity to object
  • Impose data protection obligations no less protective than those in this DPA on any subprocessor
  • Remain fully liable to the Controller for the performance of each subprocessor's obligations

If the Controller objects to a new subprocessor within the 30-day notice period, the parties will work in good faith to find a resolution. If no resolution is reached, the Controller may terminate the Service without penalty.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under Chapter III of the GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

If the Processor receives a request from a Data Subject directly, it shall promptly redirect the request to the Controller unless legally prohibited from doing so.

7. Data Breach Notification

In the event of a personal data breach (as defined in Article 4(12) of the GDPR), the Processor shall:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide sufficient information to enable the Controller to fulfill its own breach notification obligations under Articles 33 and 34 of the GDPR
  • Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach

Breach notifications will include:

  • Nature of the breach, including categories and approximate number of affected Data Subjects
  • Contact details of the Processor's point of contact
  • Likely consequences of the breach
  • Measures taken or proposed to address and mitigate the breach

8. Audits

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audit conditions:

  • The Controller shall provide at least 30 days' written notice before any audit
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
  • The Controller shall bear its own costs for any audit
  • Audit findings shall be treated as confidential information of the Processor

9. International Data Transfers

Customer data is stored and processed in the United States (AWS us-west-2, Oregon). For transfers of Personal Data from the EEA, United Kingdom, or Switzerland to the United States:

  • The parties agree to the Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), which are incorporated by reference into this DPA
  • For UK transfers, the UK International Data Transfer Addendum to the EU SCCs applies
  • The Processor implements supplementary technical measures (encryption in transit and at rest, access controls, audit logging) to ensure an adequate level of data protection

A copy of the applicable SCCs is available upon request from privacy@unheadless.com.

10. Data Deletion & Return

Upon termination of the Service or upon the Controller's written request:

  • The Processor shall delete all Personal Data, unless applicable law requires continued storage
  • Before deletion, the Controller may request a data export in a structured, machine-readable format (JSON or CSV)
  • The Processor shall certify deletion upon the Controller's written request

11. Security Measures

The Processor implements the technical and organizational security measures described on our Security page, including:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for all data at rest
  • bcrypt password hashing
  • Role-based access control with multi-tenant data isolation
  • Multi-factor authentication (MFA) available for all accounts; enforceable at the organization level for Enterprise customers
  • CSRF protection on all state-changing operations
  • Comprehensive audit logging of administrative actions
  • Secure, HttpOnly, SameSite session cookies

12. Liability & Governing Law

This DPA is governed by the same governing law and jurisdiction provisions as the Terms of Service. Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

13. Contact

For questions about this DPA or to request a countersigned copy: